It's a familiar complaint: Executives from a business department learn about a new, often cloud-based product and they want to try it. Only they can't, because IT has decreed that this wonderful new product creates too much risk. The frustrated business execs gripe that IT is standing in the way of progress. As one business executive said, IT is "where dreams go to die."
The problem might not lie in some stubborn dislike by technology professionals for innovative new products. The problem, CIOs and other experts agree, is that most organizations don't have a realistic, balanced or mature system for evaluating and making decisions about technology risk. Especially the risk that always comes with implementing something new.
"Somebody, typically in a line of business, has some SaaS product they want to use, and they provide a business case for it: 'Here's all the good stuff that can result from the use of this. It'll make my numbers. I can access it from anywhere,'" says Jay Heiser, an analyst at Gartner.
At that point, IT is asked to determine whether the software in question is safe to use. "Then starts a farcical attempt to prevent something bad from happening," says Heiser. Ensuring complete indemnification for any losses suffered in the event of a breach likely means inserting provisions into the vendor's standard contract. "These are cookie-cutter products; the company has 30,000 customers. They're not going to negotiate contracts," he says.
Next come questions about the cloud provider's security practices, but here again, Heiser says, it's difficult or impossible to construct a questionnaire that will fully determine that the provider will keep data secure. A site visit might be helpful, but the sheer volume of customers will make it impossible for the provider to welcome most of them. And even when you are standing at a provider's facility looking straight at its servers, that doesn't give you access to the person who wrote the code.
In short, there is no way to guarantee security, especially that of a cloud-based product, Heiser says. And therefore, IT professionals tend to take the simplest path and decline to give their approval, which in turn earns them a reputation as dream-killers. It's a setup that guarantees frustration on all sides, and one that's more than ripe for adjustment.
But changing it requires seriously rethinking how businesses work with IT to make technological decisions. That won't be easy, but here are some places to start.
1. Let CIOs Off the Hot Seat
Talk to any CIO long enough on the subject of technology risk, and one company name is likely to come up: Target. The retailer suffered a widely publicized data breach compromising a total of 110 million credit cards in December and January -- a number that's equivalent to more than one-third of the U.S. population, assuming all the cards belonged to different people. As the dust settled and lawsuits were filed, no one was surprised when Target CIO Beth Jacobs tendered her resignation.
Jacobs had been on the job about six years, putting her right at the average CIO tenure according to CIO magazine's 2014 State of the CIO survey. That's a fact worth noting because behind it lies a darker truth: Most CIOs assume they're always one big tech failure away from losing their jobs. "I don't know if she did a good job or not, but she got fired," Heiser says. "In practice, if something breaks, they'll go looking for a scapegoat." Because CIOs face that reality, he adds, it's easy to see why most of them are motivated to make "extremely conservative decisions."
"We have encrypted our systems and we audit stuff regularly," one CIO confides. "We've done our absolute best to make sure there is never a breach. Still, just like the Target CIO, if I stay here long enough, there will be a situation that I get blamed for."
2. Stop Asking the Wrong Questions
"I get a lot of questions from Gartner clients who want a definitive read as to whether some cloud system is 'secure' or not," Heiser says. "It's the wrong answer and the wrong question."
To begin with, there's no such thing as a perfectly secure system. "Inevitably, something will go wrong because you're a goalie and sometimes people will score," says Matt Powell, CIO at Kirshenbaum Bond Senecal + Partners, an advertising agency headquartered in New York. "What we do instead is talk about relative risk." Powell says he has read that the National Security Agency's standing posture is that all its systems have been compromised 100% of the time. If a government agency with legendary technical proficiency makes that assumption, he suggests, everyone else should too. Once you adopt that mindset, he says, "it's a matter of how much is at risk, and for how long."
Unfortunately, Heiser says, "there's no way to conceptualize risk." Even though many organizations, including Gartner, have tried to put a finger on risk profiles and scenarios, "there's no good way to quantify that," he says. "If you could tell the business there's a 5% chance in any year that your competitor could gain access to your data through this service and that was backed up by statistics, you could base a decision around that, but it's still going to be an emotional decision."
3. Start Weighing Risk vs. Reward
There's no reasonable way to make a good decision if all you're looking at are the bad things that can happen if a new system leads to a data breach or malfunction. A wise approach to IT management requires weighing that increased risk against the business benefits of adopting a new technology, as well as the business risk of not adopting it and losing an opportunity or a competitive edge.
Story continues on next page >
Let the Law Decide
When it comes to reducing technology risk, sometimes the law can be your best friend. For CIOs in the healthcare field, for example, the Health Insurance Portability and Accountability Act (HIPAA) can serve as a guide to what is and isn't acceptable risk; it can also provide a definitive argument for taking a strong security stance.
"HIPAA dominates everything we do," says Jason Thomas, CIO at Green Clinic, an all-physician-owned facility with six satellite locations headquartered in Ruston, La. "We use it to look at all decisions: Where is this coming from? Is patient data protected? Are we encrypting data before we send it to someone else? If we send it, do they have a business agreement with us and are they HIPAA-compliant?"
Deciding what does and doesn't qualify as "HIPAA-compliant" isn't as straightforward as one might think. "HIPAA has a lot of requirements, but they're very vague," Thomas says. "It was written almost 10 years ago and nobody really knows what it says. That's led a lot of people to be either very lax or very stringent where HIPAA is concerned. Some don't worry about encryption or auditing their access -- their interpretation is that it doesn't apply."
Green Clinic comes down on the stringent end of the spectrum, he says, and that has occasionally caused friction with both vendors and the doctors who want to buy their products. "There are a lot of sales reps out there, and they're frankly not always on our side," he says.
For example, Green Clinic's IT team insists on using encryption for all patient data. "We have a facility that does X-rays, and we had a vendor tell us they would set up their workstation, install their software, and that's how it needs to stay," Thomas says. From his point of view, having a device on-site handling patient data in a way he couldn't manage or encrypt was unacceptable. "I can't just have a workstation dropped at my door and everything's hunky-dory," he says.
Using HIPAA to insist on higher security standards has worked out for Thomas and his team. "I've had some vendors who've done it their way for 20 years keel over and do it the way we wanted," he says.
HIPAA works as a big stick only for those industries that fall within its domain. But nearly every industry has state or federal regulators it must answer to, and beyond that, a regime of contractual agreements. For instance, any organization that takes credit card payments directly must comply with the Payment Card Industry Data Security Standard (PCI DSS).
Then there are contracts with business partners and clients. For example, at ad agency Kirshenbaum Bond Senecal + Partners, CIO Matt Powell can refer to client contracts when he needs to rein in employees' enthusiasm for new cloud-based products. When the creative team recently sought to start using a cloud-based imaging system that integrates with Adobe Photoshop, Powell said no because the new software would give the provider access to client data. "If it moves out of our ecosystem, it creates a contractual issue," he says. Worse, some cloud providers have terms of service that give them the right to reuse any uploaded data, something that's clearly out of bounds for anything belonging to clients.
In such situations, Powell may work to find a solution by, for instance, obtaining a written exception to the contract from the agency client. But that works only some of the time. "If the organization or technology provider hasn't structured their product in a way that provides the appropriate legal and technical protection, it becomes difficult to work with that product," he says.
When that happens, the internal conversation can be difficult, but Powell says it's easy to make his point: "My response is, 'Do you like your paycheck? It comes from clients writing us checks, and if a client fires us for being in breach of contract, it becomes harder to pay.'"
How can CIOs, without a big-picture view of the organization and its strategy, make judgments like these? They'd better get that big-picture view, advises Frank Petersmark, CIO advocate at management consultancy X by 2 in Farmington Hills, Mich., and former CIO at Amerisure Insurance, a 102-year-old property and casualty company with more than $600 million in direct premiums, also located in Farmington Hills. "You have to put technology risks into business terms," he says. "If there's a data breach and customers' information is out there, how will they feel about it? How will it impact sales or profitability?"
It's part of the new CIO role. "The CIO has evolved from CIO 1.0, techie person in the room where the lights are blinking and we don't know what they do," he says. "Now we're up to, I think, CIO 6.0, moving toward a full business partner with executive colleagues. You're expected to know the business domain of your organization as well as anyone who works there. And the reason is obvious. Technology is such an enabler or disabler now, that's the kind of IT leader they want."
4. Establish a Technology Risk Profile
Your corporate leaders, working with your company's financial advisers, have undoubtedly determined what their "risk appetite" is when it comes to investments -- how much loss they are willing to risk in pursuit of financial gain. They've likely done the same for their personal investments.
It's time to look at technology through the same lens. Petersmark suggests that IT could go to the C suite and say, "We've done some thinking about it and we can make a bigger splash in the marketplace if we are a little more open to risk. And we'd like you, Mr. or Ms. CEO, to help us think about it and give us a place on the continuum between market impact and business gain to risk of business loss."
A smart organization would take this approach, he says, "rather than just leaving it to the CIO to be like Caesar with the gladiators, always pointing thumbs up or thumbs down."
5. Learn to Live With Nuance
"If you want to embrace the cloud, you have to live with ambiguity," but it takes a mature organization to do that, Heiser says. "If the people making the decision truly understand that it's a nuanced decision and it's perfectly all right to run an acceptable level of risk, they can make good decisions. The organization needs to have a healthy culture that can handle an ambiguous decision. You can't have the CIO thinking, 'If it breaks, it will be my fault.'"
You should also have a nuanced view of the bad events that could occur if something goes wrong, Heiser adds. Target's experience notwithstanding, not all breaches are created equal. "Most security failures are not noticed and life goes on," he says.
Still, some IT leaders, careful of safeguarding both their companies' networks and their own jobs, try to get as close to "secure" as they possibly can. "Some technologists consider the concept of 'acceptable risk' to be an oxymoron. They're perfectionists," Heiser notes. At the other end of the spectrum are what he calls "fig leafers" -- people who figure that the standard security provided is likely to be good enough.
"The successful organization manages that conflict," he says. "The answer is somewhere between these extremes."
6. Start Sharing Both Credit and Blame
One profound problem with the way technological risk is often managed is that credit for the good outcomes and the bad outcomes isn't fairly apportioned. If IT approves a new cloud service that a business department wants, and the service increases sales or otherwise benefits the bottom line, then the business department that's using it will likely get the kudos and perhaps financial rewards as well. On the other hand, if the new system leads to a security failure or other malfunction, IT will get all of the blame.